Problem: anaconda failed to fetch kickstart from http://IP
Expected outcome: The client to PXE boot successfully
Foreman and Proxy versions: 3.15
Foreman and Proxy plugin versions:
Distribution and version: Rocky Linux 9
Other relevant data: curl failed to verify the legimacy of the server and therefore could not established a secure connection
I donāt know much about provisioning, but I do know that Anaconda canāt use HTTPS to retrieve the kickstart repo. It must do it insecurely.
Hi lenz, my provisioning network/interface (non routable) is different than the forman api/url (secure), on the above output it is trying to reach over http. Another key factor is that I am using a custom CA certificate. So although there is an SSL error, the url used by anaconda is unsecured
Thank you,
The error message you provided suggests curl is attempting an https url, so if the url you have in mind is not https, that must not be the url that is generating that error, and it may be worth figuring out what the https url is that is in fact generating that error.
Comments in my customized Kickstart template suggest that at some point I was having trouble because @additional_media was ending up with https urls for reasons (similar to your situation?) I didnāt intend and couldnāt figure out, and my solution was to rpm -i ānodeps ``http://x.x.x.x/pub/katello-ca-consumer-latest.noarch.rpm in a %pre section.
Hi Quartsize, thank you for your input. Iām also suspecting the template since Iām using the default one. Iāve redeployed everything, but still no luck. Iām provisioning on a private, non-routable network, but Foreman continues to make calls to the public IPās FQDN. Iāll look further into the template, but if you can share any installation or configuration steps you applied, it would be very helpful. Thanks!
I believe I know whatās happening with this, there is a rewrite rule on foremanās URL that re-directs http to https (for the web interface) there is a a situation (Iām trying to dig it out as Iāve hit it in the past but not for a long time) where the kickstart URL gets caught in this, so when the client requests http://foreman.something/unattended/kickstart-node.ks, it actually redirects it to https://foreman.something/unattended/kickstart-node.ks (which what appears to be happening with your curl request)
Yes and I would like to add to this that I am trying to use a different NIC as provisioning interface which is on a private network. So my other error is that the client is trying to get the content ( content provisioning) vi http://foreman.exampl.com and is unable to resolve it
marking the nic as the āprovisioningā nic normally resolves this (assuming the dependencies such as DNS and routing are setup on that other nic to interact with your provisioning sources